8 tips to stop banking app fraud

ID theft prevention tips for before and after you download to your smart phone

By Minda Zetlin | Published: February 18, 2011

Having an app from your bank on a smart phone or tablet computer is incredibly convenient, but watch out for fakes.

About a year ago, owners of Android smart phones began downloading mobile banking apps from Google's Android Market. The apps cost about $1.50 each and connected users with about 40 major banks, including Bank of America and Wells Fargo.

There was only one problem: The banks hadn't put them there.

The apps were created by a developer known only as 09Droid whose identity remains a mystery to this day. Once the fraud was discovered, Google removed the apps from its marketplace, but not before many users had downloaded them to their smart phones. The fraudulent apps were apparently intended simply to bilk people out of $1.50 each. Still, the threat of phishing -- stealing bank log-in and password info -- was so obvious that many banks recommended that customers who had downloaded them actually have their mobile service provider remove the apps from their phones.

The deception was only discovered by a fluke. A mobile banking software executive happened to be playing with his wife's Android phone when he noticed an app from a bank that was one of his clients. He knew the app couldn't be legit -- because if it were, his own company would have created it. This raises the alarming possibility that other fraudulent financial apps could still be out there, undiscovered.

As mobile banking is simply too convenient to ignore, is there a way to do it safely? Yes, experts say, if you follow a few precautions.

Before you download a bank or financial app:

1. Consider the app store. Different app stores have different standards for which apps they'll offer to the public. Google's Android Market is famously open, accepting nearly every app developers submit, while Apple's App Store puts apps through rigorous testing first. When the online payment company mPayy wanted to publish its apps, "we just published our app to the Android market, while Apple looked at the entire code base and tried out every feature of the application. We also had to fax our articles of incorporation to Apple," says Conrad Sheehan, mPayy CEO.

Though developers love the free-for-all world of the Android market, users should be cautious when downloading financial apps from there. One good alternative may be a more "curated" market, such as Verizon's Media Store. Another would be to download the app directly from your financial institution's website, or follow a link from there to its Android market app.


2. Check out the source. If you're downloading a third-party financial or banking app (Mint is one famous example), check out the sponsoring company or developer's website. Look for an "About Us" page, a privacy policy and a news page, preferably with external links to articles about the company. "Find out who owns the domain," Sheehan advises. "You can use Whois Lookup to find the owner of any domain." There are domain-masking services that, for a fee, will hide the true owner of a domain, but if you see one of them, that by itself should raise a red flag.

In addition, check to see if the site itself is clearly written and correctly spelled. "Typos are a remarkably accurate predictor of spoof sites," he adds.

3. See what others are saying. "Most mobile application markets are very good about posting real, live user reviews," says Steve Schultz, chief operating officer of the mobile financial app Pageonce. Look for a large number of reviews because a small number could be fakes put there by the developers themselves. "You should also search social networking sites and check out the Twitter stream about it," Schultz says.

What if there aren't many -- or any -- user reviews? "You don't ever want to be the first person to try out a banking app," Sheehan says.

4. Try a bookmark instead. Before downloading a banking app, find out if you actually need one to do your online banking. Simply access your bank through your phone's browser. If it has an easy-to-use mobile interface, that might work just as well as an app would have. If you're using a tablet, even the traditional website might work fine for you. If you decide to go this route, it's smart to create a bookmark, both for convenience and to avoid the risk of winding up at a spoof site if you later mistype your bank's URL. (Registering a fake site whose Web address differs from the real one by a single typo is a common tactic of fraudsters.)

After you have a bank or financial app:

1. Password-protect your device. With the growing popularity of financial mobile apps -- not to mention phone-based mobile payments -- you risk financial disaster if your phone or tablet is lost or stolen. Both the app and the device itself should be protected with a password to ensure that no one but you can get into your accounts.

"Make sure the password isn't stored -- you want to type it in each time," says Chris Wysopal, chief technology officer of the app security firm Veracode. "A lot of banking apps will ask if you want to save your password or stay logged in. You definitely don't want to do that on a mobile device."

2. Make sure you know how to remotely wipe your phone or tablet. If your device is ever lost or stolen, you should remotely "wipe" it -- that is remove all your personal data and restore it to its factory state. iPhones and iPads, BlackBerries and Windows 7 devices come with this capability included in their operating systems, and you can download Android apps that will do it as well.

Whichever mobile technology you use, it's a good idea to learn the steps for remotely wiping your device and write those instructions down somewhere that will be easy to find if your device is ever lost or (especially) stolen. The last thing you want to do is waste time paging around a website or waiting on hold on a support line trying to find out how to wipe it while some stranger is out there with access to all your data.

3. Don't use public Wi-Fi for banking. Most smart phones and tablets can use both wireless Internet and a mobile provider's 3G or 4G network. Make sure you're using the latter and not the former if you're banking or doing anything financial via free Wi-Fi at public places such as restaurants or airports.

Most banking sites and apps have encryption that protects against the most common forms of online eavesdropping. But that may not be good enough, Wysopal says. "Potentially, someone on the same Wi-Fi network as you could do a 'man-in-the-middle' attack," he says. A man-in-the-middle attack is just what it sounds like: A third party inserts itself between you and your financial institution and can collect information about your account -- without you ever knowing it happened.

4. Be alert to changes in your smart phone's functioning. If you download an app, and your phone starts acting differently, such as responding more slowly to commands or draining its battery more quickly, that could be a sign of malicious code, Wysopal says. "Make sure to remove any app that changes the behavior of your phone."
